Threat Intelligence - FSISAC feed error

I am having an issue configuring a feed directly to FSISAC. This particular feed requires a client certificate which I have uploaded via the configuration page. I have managed to configure this feed in a separate TAXII client, but have been unsuccessful with QRadar.

We do have a web proxy which I have configured for no authentication and no HTTPS inspection for this particular domain. I have also placed the website certificate for analysis.fsisac.com in /opt/qradar/conf/trusted_certificates.

I receive the error message below that the TAXII server is unavailable due to SSL problems. I have successfully connected other TAXII feeds on http and https protocols, but this is the first that requires a client certificate also.

6 answers

We were able to get this working. I ended up having to create a certificate chain that included the following, in this order. FSISAC Client Certificate -> Client Certificate Private Key -> Analysis.fsisac.com host certificate -> Intermediate Certificate -> Root Certificate. I then used this certificate chain in .pem format and uploaded it within the Threat Intelligence app when I configured the feed.
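The bundle layout described in the answer above, as an added example that is not part of the original post and is not QRadar or FS-ISAC code: it concatenates the five PEM parts in the reported order and checks a bundle for wrong order, duplicated blocks and malformed blocks before upload. The function names (`build_bundle`, `check_bundle`, `fake_pem`) and the sample parts are constructed for illustration.

```python
import base64
import binascii
import re

# Layout reported in the answer above: client cert, client private key,
# host cert, intermediate, root.
EXPECTED = ["CERTIFICATE", "PRIVATE KEY", "CERTIFICATE", "CERTIFICATE", "CERTIFICATE"]
BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+([A-Za-z0-9+/=\s]+?)-----END \1-----")

def build_bundle(client_cert, client_key, host_cert, intermediate, root):
    """Concatenate five PEM strings in the reported order, normalising newlines."""
    parts = (client_cert, client_key, host_cert, intermediate, root)
    return "".join(p.replace("\r\n", "\n").strip() + "\n" for p in parts)

def check_bundle(pem_text):
    """Return a list of layout problems; an empty list means the bundle matches."""
    problems, kinds, seen = [], [], set()
    for label, body in BLOCK.findall(pem_text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append("block %d (%s) is not valid base64" % (len(kinds) + 1, label))
            der = None
        # "RSA PRIVATE KEY" / "EC PRIVATE KEY" are keys too.
        kinds.append("PRIVATE KEY" if label.endswith("PRIVATE KEY") else label)
        if der is not None and der in seen:
            problems.append("block %d duplicates an earlier block" % len(kinds))
        seen.add(der)
    if pem_text.count("-----BEGIN ") != len(kinds):
        problems.append("a BEGIN line does not open a well-formed PEM block")
    if kinds != EXPECTED:
        problems.append("order is %s, expected %s" % (kinds, EXPECTED))
    return problems

def fake_pem(label, payload):
    """Constructed stand-in for a real PEM file (payload is not real DER)."""
    body = base64.encodebytes(payload).decode().strip()
    return "-----BEGIN %s-----\r\n%s\r\n-----END %s-----\r\n" % (label, body, label)

# Constructed sample parts; real input would be the five files read from disk.
CLIENT, KEY, HOST, INTER, ROOT = (
    fake_pem("CERTIFICATE", b"client"), fake_pem("RSA PRIVATE KEY", b"key"),
    fake_pem("CERTIFICATE", b"host"), fake_pem("CERTIFICATE", b"intermediate"),
    fake_pem("CERTIFICATE", b"root"))

if __name__ == "__main__":
    print(check_bundle(build_bundle(CLIENT, KEY, HOST, INTER, ROOT)))
    print(check_bundle(build_bundle(KEY, CLIENT, HOST, INTER, ROOT)))
```

The resulting file contains the client private key, so keep it readable only by the account that performs the upload and remove it once the feed is configured.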

Hello,

Can you please open a PMR and attach the logs from the docker container (please also include the /var/log/qradar.log and qradar.error). To go into the docker container:

#docker ps (this will show your docker container)
#docker exec -it bash
#cd /store/log

You can attach the: app.log, poll.log, startup.log and supervisord.log.

Thanks

I'm having similar problems (with a different feed though) and I have a PMR that's been open for a while now. Last thing they said to me is they found a bug in the code and would fix it for the next version.